From: dominick.grift@gmail.com (Dominick Grift) Date: Fri, 06 Dec 2013 14:49:34 +0100 Subject: [refpolicy] [PATCH 25/39] users: move the unconfined_u user statement to the unconfined module (if possible) so that it will be removed if the unconfined module is disabled, or removed In-Reply-To: <52A1D0EA.2000906@tresys.com> References: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com> <1383990320-3340-25-git-send-email-dominick.grift@gmail.com> <52A1D0EA.2000906@tresys.com> Message-ID: <1386337774.2469.54.camel@d30> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2013-12-06 at 08:28 -0500, Christopher J. PeBenito wrote: > On 11/09/13 04:45, Dominick Grift wrote: > > Signed-off-by: Dominick Grift > > --- > > policy/modules/system/unconfined.te | 6 ++++++ > > policy/users | 7 ------- > > 2 files changed, 6 insertions(+), 7 deletions(-) > > > > diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te > > index 28a2188..4e4a4c5 100644 > > --- a/policy/modules/system/unconfined.te > > +++ b/policy/modules/system/unconfined.te > > @@ -213,3 +213,9 @@ unconfined_domain_noaudit(unconfined_execmem_t) > > optional_policy(` > > unconfined_dbus_chat(unconfined_execmem_t) > > ') > > + > > +ifdef(`direct_sysadm_daemon',` > > + gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) > > +',` > > + gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) > > +') > > diff --git a/policy/users b/policy/users > > index 5db8cf4..25402af 100644 > > --- a/policy/users > > +++ b/policy/users > > @@ -28,13 +28,6 @@ gen_user(user_u, user, user_r, s0, s0) > > gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) > > gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) > > > > -# Until order dependence is fixed for users: > > -ifdef(`direct_sysadm_daemon',` > > - gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) > > -',` > > - gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) > > -') > > - > > # > > # The following users correspond to Unix identities. > > # These identities are typically assigned as the user attribute > > I believe this will break monolithic build, otherwise I would have done it a long time ago. It would take a little work to implement user line moving in the build system to get this into the right place in policy.conf that checkpolicy expects. > > Alternatively, if semodule_expand was enhanced to output all of the files in the expanded policy, we could simplify refpolicy by doing a monolithic build by doing a modular build and then linking/expanding it locally. Then we'd get around the more painful ordering requirements of checkpolicy. > Ouch, i seem to not have tested that. i should follow my own advice. problem is monolithic builts take so long. Atleast with modular you can cheat by skipping the assertion checking (although i should not do that either) Do you think this error might be related to that? > /usr/bin/checkpolicy -M -U allow policy.conf -o policy.29 > /usr/bin/checkpolicy: loading policy configuration from policy.conf > policy/modules/roles/unprivuser.te":13:ERROR 'syntax error' at token 'typeattribute' on line 2436000: > typeattribute user_t domain; > #line 13 > checkpolicy: error(s) encountered while parsing configuration > make: *** [policy.29] Error 1 >